Feeding your TRIRIGA information needs

Tag Archives: Cross-Site

In this day and age, security is a very hot topic. As soon as one vulnerability is addressed and mitigated, another one is found. It is a vicious circle of identifying and addressing vulnerabilities that does not seem to let up. In our fix pack release notes, information regarding the mitigation of vulnerabilities that were addressed without an APAR is listed. And sometimes, a vulnerability is addressed as an APAR.

The reason I am mentioning security vulnerabilities is that sometimes, when they are resolved, there is an impact on existing functionality, which may not always be clear. Sometimes, the result of fixing vulnerabilities can “change” functionality. As an example, in the TRIRIGA 3.5.2 release, external URL navigation items will now open in a new window to avoid cross-origin scripting vulnerabilities…

As the product develops and security vulnerabilities are found and addressed, it could mean a change in how something works. Reading the release notes can be a source of information, but it may not always be clear why something changed. We all know change is hard, especially when we are so used to it working in a certain way. I don’t know about you, but if the change was made to address a security vulnerability, I can live with that and accept the change.

[Admin: This post is related to the 04.07.17 post about APAR IV94912 where “External URL” navigation items may no longer work. To see other related posts, use the Security tag or Vulnerability tag.]

The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.

With IV82436, in order to prevent cross-site request forgery (CSRF), the KNOWN_REFERRER_LIST was introduced in TRIRIGAWEB.properties. However, if the KNOWN_REFERRER_LIST is set, it does not allow you to download the floor plan graphic of a location record. When you right-click the graphic, and select to export as PDF, you get an error: “Sorry, your session has either timed out or is no longer active. For security reasons you have been redirected to this page. Please sign in again to continue.” Signing back in does not start the download either.

As a temporary fix, leave the KNOWN_REFERRER_LIST blank in TRIRIGAWEB.properties. Otherwise, if the KNOWN_REFERRER_LIST is set, graphics sections will not allow exports. Moving forward, graphic sections can now be exported when the KNOWN_REFERRER_LIST property is set.

Reflected cross-site scripting (XSS) vulnerabilities stem from the data in a request being echoed unsafely into an application’s response. Attackers can construct requests which will cause JavaScript code supplied by the attacker to be executed in the user’s browser and within the context of their current session. This might mean that the attacker would have access to their session tokens, could log their keystrokes, or launch a network scan from the user’s browser. An attacker may exploit this vulnerability in conjunction with a cross-site request forgery (CSRF) attack, or by providing a maliciously crafted link to a user in an email, chat, or webpage.

The impact of this vulnerability is contingent upon the function of the application. In addition to session hijacking, if the application uses broadly scoped cookies, the vulnerability may lead to widespread account compromise, data loss, and potential theft. A vulnerability of this type might be leveraged in a phishing campaign to exploit the trust and goodwill that users have in Apple in order to perform malicious attacks on the user.
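To make the "echoed unsafely" mechanism concrete, here is an added example (not code from TRIRIGA or from the advisory) of the pattern on the server side: one handler reflects a query parameter straight into the HTML body, the other encodes it first. The URL, the parameter name `q`, and the `probe()` script name are constructed for the illustration; the point is that HTML-encoding the reflected value at the output point, for the context it lands in (element body versus attribute value), is the fix, independent of what the attacker sends.

```python
import html
from urllib.parse import parse_qs, urlsplit


def reflected_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name`, or "" if absent."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get(name, [""])[0]


def render_vulnerable(query: str) -> str:
    # The reflected-XSS pattern: request data is placed verbatim into the
    # response, so any markup in `query` is parsed by the browser as markup.
    return f"<p>Results for: {query}</p>"


def render_safe(query: str) -> str:
    # Encode the HTML metacharacters (& < > " ') so the browser treats the
    # value as text inside the element body.
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def render_attr_safe(query: str) -> str:
    # Attribute context: the value must also be unable to close the quoted
    # attribute, which `quote=True` covers by encoding both quote characters.
    return f'<input name="q" value="{html.escape(query, quote=True)}">'


def reflects_markup(rendered: str, marker: str = "<script") -> bool:
    """Detection helper: true if a raw tag opener survived into the output."""
    return marker in rendered.lower()


if __name__ == "__main__":
    # Constructed sample request: the parameter carries a script tag.
    url = "https://app.example/search?q=%3Cscript%3Eprobe()%3C%2Fscript%3E"
    q = reflected_param(url, "q")
    print("vulnerable:", render_vulnerable(q))
    print("safe:      ", render_safe(q))
    print("attribute: ", render_attr_safe('" autofocus onfocus="probe()'))
```

The `reflects_markup` check is the kind of assertion worth keeping in a regression test for any endpoint that has ever been reported as reflecting input: render with a tag-bearing value and confirm no raw tag opener reaches the output.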

Multiple parameters to “WebProcess.srv” were found to be vulnerable to reflected XSS when the “objectId” and “actionId” parameters are set to “840000” and “750812”, respectively.

Using the trustee account (external.trustee.02) and the image upload functionality within the Maintain User Profile page, it was possible to upload an HTML file containing JavaScript when the file was renamed to JPG.
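The finding above is a file-upload check that trusted the file name. As an added example (not TRIRIGA code; the accepted formats, the marker list and the sample bytes are my own choices), this validator decides by content instead: the leading bytes must match the signature of the format the extension claims, the first few kilobytes must not contain HTML markup, and stored images are served with a fixed `Content-Type` plus `X-Content-Type-Options: nosniff` so the browser cannot reinterpret them.

```python
from typing import Optional

# Leading bytes ("magic numbers") of the image formats this validator accepts.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSION_TO_TYPE = {"jpg": "jpeg", "jpeg": "jpeg", "png": "png", "gif": "gif"}
# Markup that must never appear in something we will serve as an image.
HTML_MARKERS = (b"<html", b"<script", b"<svg", b"<body", b"<iframe")


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the image format from its leading bytes, ignoring the name."""
    for kind, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return kind
    return None


def contains_html_markers(data: bytes, window: int = 4096) -> bool:
    """Defence in depth: reject files whose head carries HTML tags even if
    the magic bytes look right (a polyglot with a valid image header)."""
    head = data[:window].lower()
    return any(marker in head for marker in HTML_MARKERS)


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Accept only when extension and content agree."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    declared = EXTENSION_TO_TYPE.get(ext)
    if declared is None:
        return False, f"extension '.{ext}' is not an allowed image type"
    actual = sniff_image_type(data)
    if actual is None:
        return False, "content does not start with a known image signature"
    if actual != declared:
        return False, f"extension says {declared} but content is {actual}"
    if contains_html_markers(data):
        return False, "image bytes contain HTML markup"
    return True, f"accepted as {actual}"


def response_headers_for(kind: str) -> dict:
    """Headers to use when serving a stored image back to the browser."""
    return {
        "Content-Type": f"image/{kind}",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "inline",
    }


if __name__ == "__main__":
    # Constructed samples: an HTML page renamed to .jpg, a minimal JPEG header,
    # and a PNG header carrying the wrong extension.
    samples = {
        "avatar.jpg (html)": b"<html><script>probe()</script></html>",
        "avatar.jpg (jpeg)": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "avatar.jpg (png) ": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    }
    for label, blob in samples.items():
        name = label.split()[0]
        print(label, "->", validate_upload(name, blob))
```

Re-encoding accepted images through an image library before storing them removes trailing or embedded content that a signature check cannot see; the check above is the cheap first gate, not the whole control.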

The IBM TRIRIGA Application Platform is vulnerable to cross-site scripting (XSS), caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s web browser within the security context of the hosting website, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

[Admin: This post is related to the 04.04.16 post about vulnerabilities and fixes. To see other related posts, use the Vulnerability tag.]

Some state-changing actions do not have the security token properly enforced, which is a potential CSRF exposure. CSRF attacks on actions with no token can generally be addressed by using the KNOWN_REFERRER_LIST property in the TRIRIGAWEB.properties file.
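The two controls named here, a per-session token and a referrer allowlist, are easy to confuse, so here is an added example (not TRIRIGA's implementation) of how a server can combine them: a state-changing request passes if its token matches the session's token; only if no token is present does the Origin/Referer host get compared, exactly, against the configured list. The property format (a comma-separated list of host names) and the header handling are assumptions for the example, not a description of how the platform reads KNOWN_REFERRER_LIST.

```python
import hmac
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state, so no check


def parse_known_referrers(value: str) -> Set[str]:
    """Assumed format: comma-separated host names, case-insensitive."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def referrer_host(headers: Dict[str, str]) -> Optional[str]:
    """Host from Origin (preferred) or Referer; None if neither is present.
    Header names are expected lower-cased, as most frameworks normalise them."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            host = urlsplit(value).hostname
            if host:
                return host.lower()
    return None


def token_matches(session_token: Optional[str], submitted: Optional[str]) -> bool:
    """Constant-time comparison of the session's CSRF token with the one sent."""
    if not session_token or not submitted:
        return False
    return hmac.compare_digest(session_token, submitted)


def authorize_state_change(method: str, headers: Dict[str, str],
                           session_token: Optional[str], submitted_token: Optional[str],
                           known_referrers: Set[str]) -> Tuple[bool, str]:
    """Decide whether a request may perform a state change, with the reason."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    if token_matches(session_token, submitted_token):
        return True, "token valid"
    if not known_referrers:
        return False, "no valid token and no referrer list configured"
    host = referrer_host(headers)
    if host is None:
        return False, "no valid token and request carries no Origin/Referer"
    # Exact host match: a suffix or substring test would let a look-alike
    # host such as tririga.example.com.evil.test through.
    if host in known_referrers:
        return True, f"referrer {host} is in KNOWN_REFERRER_LIST"
    return False, f"referrer {host} is not in KNOWN_REFERRER_LIST"


if __name__ == "__main__":
    allowed = parse_known_referrers("tririga.example.com, portal.example.com")
    # Constructed requests: a forged cross-site POST, a same-site POST with a
    # valid token, and a legitimate POST that happens to carry no Referer.
    cases = [
        ("POST", {"referer": "https://attacker.test/page"}, "tok", None),
        ("POST", {"referer": "https://tririga.example.com/app"}, "tok", "tok"),
        ("POST", {}, "tok", None),
    ]
    for method, hdrs, sess, sent in cases:
        print(authorize_state_change(method, hdrs, sess, sent, allowed))
```

The third constructed case is the one to watch: a referrer check rejects any state-changing request that arrives with no token and no Origin/Referer, and browsers omit the Referer on several kinds of navigation. That is why a token bound to the session is the primary control, with the referrer list as a fallback for actions that have no token yet, and it is the kind of false positive that shows up as a legitimate action, such as an export, failing with a session error.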

We added security validation to several pages throughout the platform. The issue has been resolved.